Domain Name System (DNS) records of Go Daddy-hosted websites have been compromised, potentially placing many visitors at risk of being infected with malware known as ransomware.
By hacking DNS records, cyber crooks have been able to add one or more subdomains with corresponding DNS entries, so some visitors who access affected webpages are sent to malicious websites. Where hackers tricked people into visiting those subdomains, malware may have been downloaded onto victims’ machines. Because the rogue hostnames sit under a legitimate domain, such attacks are good at getting around security protections.
“The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers,” a blog post from security firm Sophos read. “This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.”
Normally victims can tell they are on the wrong site from the IP address, but this attack has apparently got round that, since the added subdomain still carries the legitimate domain name.
From there, malicious code runs, an exploit kit called ‘Cool’ is deployed and ransomware is installed.
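The pattern Sophos describes, a legitimate apex record sitting beside injected subdomains that point at rogue hosts, is something a site owner can check for by comparing the zone against a known-good baseline. The script below is an added example, not code from the article, Sophos or Go Daddy; the zone data, the example.com names, the 203.0.113.0/24 "owned" range and the 198.51.100.77 rogue address are all constructed (the short random labels mirror the ones reported in the comments).

```python
import ipaddress

# Constructed sample data: example.com and the 203.0.113.0/24 and
# 198.51.100.0/24 blocks are documentation ranges, not real hosts.
BASELINE = {
    "example.com.": "203.0.113.10",
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.25",
}

# Zone as pulled from the registrar's control panel, with two injected names.
OBSERVED_ZONE = """
example.com.        3600 IN A 203.0.113.10
www.example.com.    3600 IN A 203.0.113.10
mail.example.com.   3600 IN A 203.0.113.25
28j.example.com.     300 IN A 198.51.100.77
7ot.example.com.     300 IN A 198.51.100.77
"""

# Address ranges the site owner actually controls.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_a_records(zone_text):
    """Parse 'name ttl IN A addr' lines into {name: addr}; other types are ignored."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            records[fields[0]] = fields[4]
    return records


def audit_zone(observed, baseline, allowed_networks):
    """Return (name, addr, reason) findings for records that deviate from the baseline."""
    findings = []
    for name, addr in sorted(observed.items()):
        if name not in baseline:
            findings.append((name, addr, "not in baseline"))
        elif baseline[name] != addr:
            findings.append((name, addr, "address changed"))
        # An injected subdomain typically resolves outside the owner's ranges.
        if not any(ipaddress.ip_address(addr) in net for net in allowed_networks):
            findings.append((name, addr, "outside allowed networks"))
    for name in sorted(set(baseline) - set(observed)):
        findings.append((name, baseline[name], "missing from zone"))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(parse_a_records(OBSERVED_ZONE), BASELINE, ALLOWED_NETWORKS):
        print(*finding)
```

Running the audit regularly against a baseline kept outside the registrar account gives a site owner a way to spot injected names even where, as noted below, the provider offers no login history.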
The ransomware served depends on the victim’s country. In the UK, it is malware posing as a legitimate message from the Met’s Police e-Crime Unit (PCeU). It locks the computer, claiming the machine was guilty of “unauthorised cyberactivity”, and demands payment to unlock it.
It remains unclear how the Go Daddy DNS records were hacked. The company had not responded to a request for comment at the time of publication.
Sophos suggested a likely cause was compromised user credentials, but was unable to check this as Go Daddy does not allow users to check historical login activity. “Enabling users to view historical login activity is a very simple way of helping to spot malicious activity early. Let’s hope Go Daddy change their stance on this,” the security firm added.
“Given the prevalence of attacks against web sites for the purpose of malware distribution it is high time that associated services (Registrars, hosting providers etc) pay adequate consideration to security.
“Users should not be allowed to use weak passwords. Two-factor authentication should be readily available, if not enforced.” Sophos has also contacted Go Daddy about the attacks.
In September, it was rumoured Go Daddy had been hacked, but the company said downtime was due to “a series of internal network events that corrupted router data tables”.
You may be interested that right now I'm on the phone with GoDaddy regarding this very same issue.
My site http://www.foundersgyan.com has been injected with several subdomain entries:
28j.foundersgyan.com/
7ot.foundersgyan.com/
etc.
All of these are being redirected to http://185.38.184.156, which is being blocked by my anti-virus.
I'm pretty sure GoDaddy is not going to comment on this and will just solve the issue again without further action.